Subject: Re: SE Linux vs SE NetBSD !!
To: John Nemeth <jnemeth@victoria.tc.ca>
From: Travis H. <solinym@gmail.com>
List: tech-security
Date: 08/30/2006 16:45:22
On 8/29/06, John Nemeth <jnemeth@victoria.tc.ca> wrote:
> } For example, we know in advance that sendmail will write to mail
> } spool files in /var/spool/mail. And that it binds to TCP port 25.
> We do? Glad you know that. As a point of fact, sendmail will do
> no such thing. It will call an LDA (Local Delivery Agent) to do this.
Actually I knew that, having found a vuln (race condition) in NetBSD's
mail.local and having posted about it in bugtraq back in the early
90s. It wasn't terribly relevant to the explanation, but you get a
star for dropping some mad sendmail science on my apparently
ignorant self. Wear it with pride. -> *
> However, that doesn't mean they don't need protection. It is well
> known that many attacks come from inside the firewall.
I have heard the "insider threat" argument a lot, and it appears that
various vendors attempting to sell products will bandy some statistic
or another about this. If my NIDS showed someone rooting my servers,
they'd have a chat with me and my LART (luser attitude readjustment
tool).
You're right, it doesn't mean they don't need protection, which is why I said
"as much attention" instead of "no attention".
There are lots of cases where the perimeter is breached. A big one is
road warrior salespeople who bring worms in on their laptops, and
Windows users who execute malware.
> Of course, for
> real security, you shouldn't be using plain NFS. Also, we don't know
> when somebody might breach the firewall or the firewall administrator
> might make a mistake. Defense in depth and all that.
All true.
What options exist apart from NFS and SMB? I think there was one
called coda, and AFS, and Linux has sshfs (requires a kernel module on
the client)... anything else?
I'd really like to see a filesystem that exports all the attributes of
the fs it is exporting. Right now all my files from the NFS server are
typed nfs_t, not what they are typed as they appear on the file server.
I suppose NFS doesn't support either the lsattr kind of attributes, nor
the SELinux kind.
--
"If you're not part of the solution, you're part of the precipitate."
Unix "guru" for rent or hire -><- http://www.lightconsulting.com/~travis/
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066 151D 0A6B 4098 0C55 1484
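[Editor's note, not part of the thread.] The point above about every NFS file showing up as nfs_t is worth being able to check mechanically: NFSv3 carries no security labels, so on an SELinux client all files under a plain NFS mount get the policy's single default type, and the only way to get something more specific (on the 2006-era stack) is the mount-time context=, fscontext=, defcontext= or rootcontext= option, which applies one label to the whole mount. Per-file labels over the wire only arrived later with labeled NFS in NFSv4.2 (RFC 7862). The script below is an added example, not code from the thread or from any of the projects mentioned: it reads /proc/mounts-style lines and reports NFS mounts that carry none of those options, i.e. mounts whose contents will all be nfs_t. The mount table lines are constructed sample input, and the helper names are my own.

```shell
#!/bin/sh
# Added example (not from the thread). Flag NFS mounts that have no
# SELinux context option, so every file under them gets the policy
# default (nfs_t) rather than any per-file or per-mount type.
# SAMPLE_MOUNTS is constructed /proc/mounts-style input; in real use
# pass "$(cat /proc/mounts)" instead.

SAMPLE_MOUNTS='filer:/export/home /home nfs rw,vers=3,hard,intr 0 0
filer:/export/mail /var/spool/mail nfs rw,vers=3,context=system_u:object_r:mail_spool_t:s0 0 0
/dev/sda1 / ext3 rw,seclabel 0 0
filer:/export/src /usr/src nfs4 rw,fscontext=system_u:object_r:usr_t:s0 0 0'

# unlabeled_nfs_mounts MOUNT_TABLE
# Prints the mountpoint of each nfs/nfs4 entry whose option list has no
# context=, fscontext=, defcontext= or rootcontext= option.
unlabeled_nfs_mounts() {
    printf '%s\n' "$1" | while read -r src mnt fstype opts _; do
        case "$fstype" in
            nfs|nfs4) ;;
            *) continue ;;
        esac
        # Wrap in commas so each option matches only as a whole token.
        case ",$opts," in
            *,context=*|*,fscontext=*|*,defcontext=*|*,rootcontext=*) ;;
            *) printf '%s\n' "$mnt" ;;
        esac
    done
}

# mount_context_option OPTION_STRING
# Prints the value of the context= option (quotes stripped, since
# /proc/mounts may show it as context="..."), or nothing if absent.
mount_context_option() {
    printf '%s\n' "$1" | tr ',' '\n' | sed -n 's/^context=//p' | tr -d '"'
}

# Stand-alone run: list the mounts that will be all-nfs_t.
unlabeled_nfs_mounts "$SAMPLE_MOUNTS"
```

On a real client, `ls -Z` under a mount reported by this script will show nothing but nfs_t, regardless of what the server's local filesystem has on the same files; the context= options change that label for the whole mount, not per file.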